On Sun, 25 Jan 2009, Technical Home wrote: [given]
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/SERVER.crt
olcTLSCertificateKeyFile: /etc/ssl/private/cakey.pem
[we get]
root@SERVER:~# slapd -h 'ldap://127.0.0.1:389 ldaps://192.168.1.200:636' -g openldap -u openldap -F /etc/ldap/slapd.d/ -d 16383
@(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
        buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
main: TLS init def ctx failed: -207
slapd stopped.
connections_destroy: nothing to destroy.
[which is]
ssl.h, 207 code refers to the macro "#define SSL_F_SSL_VERIFY_CERT_CHAIN"
Are you sure that all of these files are readable as group/user "openldap"?
Make sure that those options really are present/being parsed properly, perhaps by setting debug level "config" and/or looking for open() with strace or similar. Actually, a strace on open() would be the appropriate test for my EPERM theory, too. If they're not... upgrade to the latest available version. There were some back-config fixes in 2.4.13, for example.
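The permission check the reply suggests, written out as a script (added example, not code from either poster or from OpenLDAP). It evaluates the mode bits of the three quoted olcTLS* paths, and of every directory above them, for the uid/gid that slapd drops to with -u openldap -g openldap; the user and group names and the paths are taken from the quoted message and are assumptions of the example, not verified facts about that server. The directory walk matters because on Debian /etc/ssl/private is 0710 root:ssl-cert, so a key file that is itself readable is still unreachable unless the service user is in ssl-cert.

```python
"""Check whether slapd's TLS files are readable by the unprivileged service
user.  Added example; paths and user/group names are assumed from the quoted
configuration, not verified."""
import grp
import os
import pwd
import stat


def _perm_ok(st_mode, st_uid, st_gid, uid, gids, user_bit, group_bit, other_bit):
    """Classic Unix mode-bit evaluation.  Exactly one class applies: owner if
    the uid matches, else group if any of gids matches, else other.  uid 0
    bypasses DAC; LSM policy (AppArmor, SELinux) is not modelled here."""
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(st_mode & user_bit)
    if st_gid in gids:
        return bool(st_mode & group_bit)
    return bool(st_mode & other_bit)


def can_read(st_mode, st_uid, st_gid, uid, gids):
    return _perm_ok(st_mode, st_uid, st_gid, uid, gids,
                    stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_search(st_mode, st_uid, st_gid, uid, gids):
    """Search (x) permission on a directory, needed on every path component."""
    return _perm_ok(st_mode, st_uid, st_gid, uid, gids,
                    stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def check_path(path, uid, gids):
    """Return a list of (path, reason) problems for opening `path` read-only as
    (uid, gids); an empty list means open() would pass DAC.  Symlinks are
    resolved first, since entries under /etc/ssl/certs are usually symlinks."""
    problems = []
    real = os.path.realpath(path)
    components = real.strip(os.sep).split(os.sep)
    # every ancestor directory, from / down to the parent of the file
    ancestors = [os.sep]
    cur = os.sep
    for part in components[:-1]:
        cur = os.path.join(cur, part)
        ancestors.append(cur)
    for d in ancestors:
        try:
            st = os.stat(d)
        except OSError as e:
            problems.append((d, e.strerror))
            return problems
        if not can_search(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            problems.append((d, "no search (x) permission for uid %d" % uid))
    try:
        st = os.stat(real)
    except OSError as e:
        problems.append((real, e.strerror))
        return problems
    if not stat.S_ISREG(st.st_mode):
        problems.append((real, "not a regular file"))
    if not can_read(st.st_mode, st.st_uid, st.st_gid, uid, gids):
        problems.append((real, "not readable by uid %d (mode %04o, owner %d:%d)"
                         % (uid, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)))
    return problems


def check_slapd_tls_files(paths, user, group=None):
    """Resolve user/group the way `slapd -u USER -g GROUP` does and check each
    path.  Supplementary groups are included because slapd calls initgroups()
    for the -u user, which is what makes ssl-cert membership take effect."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    if group:
        gids.add(grp.getgrnam(group).gr_gid)
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return {p: check_path(p, pw.pw_uid, gids) for p in paths}


if __name__ == "__main__":
    # Paths as quoted in the thread; user/group as given on the slapd command line.
    TLS_FILES = ["/etc/ssl/certs/cacert.pem",
                 "/etc/ssl/certs/SERVER.crt",
                 "/etc/ssl/private/cakey.pem"]
    for path, probs in check_slapd_tls_files(TLS_FILES, "openldap", "openldap").items():
        print(path, "OK" if not probs else "")
        for where, why in probs:
            print("   ", where + ":", why)
```

The strace counterpart of this check is to run slapd in the foreground under `strace -f -e trace=open,openat -o /tmp/slapd.trace slapd -u openldap -g openldap -F /etc/ldap/slapd.d -d 16383` and grep the trace for the three paths; note that open() reports a permission failure as EACCES rather than EPERM, and a missing file or an unsearchable directory as ENOENT/EACCES on the path, so look for any non-zero return on those lines rather than for one specific errno.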